Using IAIK Provider for the Java™ Cryptography Extension (IAIK-JCE) with JBoss AS 7

Version 1

    hi

    has anyone out there had any success using the IAIK JCE provider with JBoss AS 7?

     

    when we run the following code:

     

        IAIK.addAsProvider(true);
        try {
          PKCS12 p12 = new PKCS12(new FileInputStream(filename));
          p12.decrypt(password.toCharArray());
        } catch (Exception e) {
          logger.error("Error thrown when decrypting pks file.", e);
        }
    

     

    When we run the above code using IAIK version 4 or 5 JAR file packaged within a web application we get a stack trace like the following:

     

    17:35:53,369 INFO  [stdout] (ajp-/10.14.30.139:8009-1) Installed security providers providers:

    17:35:53,369 INFO  [stdout] (ajp-/10.14.30.139:8009-1)

    17:35:53,369 INFO  [stdout] (ajp-/10.14.30.139:8009-1) Provider 1: IAIK  version: 4.0

    17:35:53,369 INFO  [stdout] (ajp-/10.14.30.139:8009-1) Provider 2: SUN  version: 1.6

    17:35:53,370 INFO  [stdout] (ajp-/10.14.30.139:8009-1) Provider 3: SunRsaSign  version: 1.5

    17:35:53,370 INFO  [stdout] (ajp-/10.14.30.139:8009-1) Provider 4: SunJSSE  version: 1.6

    17:35:53,370 INFO  [stdout] (ajp-/10.14.30.139:8009-1) Provider 5: SunJCE  version: 1.6

    17:35:53,370 INFO  [stdout] (ajp-/10.14.30.139:8009-1) Provider 6: SunJGSS  version: 1.0

    17:35:53,370 INFO  [stdout] (ajp-/10.14.30.139:8009-1) Provider 7: SunSASL  version: 1.5

    17:35:53,370 INFO  [stdout] (ajp-/10.14.30.139:8009-1) Provider 8: XMLDSig  version: 1.0

    17:35:53,370 INFO  [stdout] (ajp-/10.14.30.139:8009-1) Provider 9: SunPCSC  version: 1.6

    17:35:53,441 ERROR [org.epo.product.jboss.ref1.web.iaik.PksFileParser] (ajp-/10.14.30.139:8009-1) Error thrown when decrypting pks file.: iaik.pkcs.PKCSException: Unable to decrypt PrivateKey! iaik.pkcs.pkcs8.b: Unable to decrypt private key: javax.crypto.BadPaddingException: Given final block not properly padded

            at iaik.pkcs.pkcs12.AuthenticatedSafe.decrypt(Unknown Source) [iaik_jce-signed-4.0.jar:4.0]

            at iaik.pkcs.pkcs12.PKCS12.decrypt(Unknown Source) [iaik_jce-signed-4.0.jar:4.0]

            at org.epo.product.jboss.ref1.web.iaik.PksFileParser.openPkcs12(PksFileParser.java:57) [classes:]

            at org.epo.product.jboss.ref1.web.iaik.PksFileParser$Proxy$_$$_WeldClientProxy.openPkcs12(PksFileParser$Proxy$_$$_WeldClientProxy.java) [classes:]

            at org.epo.product.jboss.ref1.web.iaik.upload.PfxFileUploadBean.parseUpload(PfxFileUploadBean.java:74) [classes:]

            at org.epo.product.jboss.ref1.web.iaik.upload.PfxFileUploadBean$Proxy$_$$_WeldClientProxy.parseUpload(PfxFileUploadBean$Proxy$_$$_WeldClientProxy.java) [classes:]

            at org.epo.product.jboss.ref1.web.iaik.upload.PfxFileUploadServlet.doPost(PfxFileUploadServlet.java:109) [classes:]

            at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]

            at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]

            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]

            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]

            at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]

            at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]

            at org.jboss.as.web.session.ClusteredSessionValve.handleRequest(ClusteredSessionValve.java:134) [jboss-as-web-7.2.0.Final-redhat-8-bz-970751.jar:7.2.0.Final-redhat-8]

            at org.jboss.as.web.session.ClusteredSessionValve.invoke(ClusteredSessionValve.java:99) [jboss-as-web-7.2.0.Final-redhat-8-bz-970751.jar:7.2.0.Final-redhat-8]

            at org.jboss.as.web.session.JvmRouteValve.invoke(JvmRouteValve.java:92) [jboss-as-web-7.2.0.Final-redhat-8-bz-970751.jar:7.2.0.Final-redhat-8]

            at org.jboss.as.web.session.LockingValve.invoke(LockingValve.java:64) [jboss-as-web-7.2.0.Final-redhat-8-bz-970751.jar:7.2.0.Final-redhat-8]

            at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50)

            at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50)

            at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:481) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]

            at org.epoline.security.tomcat.SpnegoAuthenticator.invoke(SpnegoAuthenticator.java:130) [epo-spnego-tomcat-1.2.3-EAP6.jar:1.2.3-EAP6]

            at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.2.0.Final-redhat-8-bz-970751.jar:7.2.0.Final-redhat-8]

            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]

            at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]

            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]

            at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:336) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]

            at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:488) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]

            at org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:420) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]

            at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:920) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]

            at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_37]

     

    Anybody come across similar issues? It looks not to be a JBoss AS 7 issue per se since if we run code like below it works well.

     

        IAIK.addAsProvider(true);
        try {
          KeyStore store = KeyStore.getInstance("pkcs12", provider);
          store.load(fileInputStream, password.toCharArray());
    
          Enumeration<String> aliases = store.aliases();
          while (aliases.hasMoreElements()) {
            logger.info("Alias: " + aliases.nextElement());
          }
        } catch (Exception e) {
          logger.error("Error thrown when decrypting pks file.", e);
        }
    

     

      However we need to use the IAIK-JCE explicitly as shown above. Any questions or experiences with IAIK most welcome.

     

    - Oliver